Images are not selected using a digest

Description

In some cases you may prefer to use a fixed version of an image, rather than update to newer versions. Docker enables you to pull an image by its digest, specifying exactly which version of an image to pull.

Pulling using a digest allows you to “pin” an image to that version, and guarantee that the image you’re using is always the same. Digests also prevent race-conditions; if a new image is pushed while a deploy is in progress, different nodes may be pulling the images at different times, so some nodes have the new image, and some have the old one. Services automatically resolve tags to digests, so you don't need to manually specify a digest.

Fix - Runtime

CLI Command

To make sure the container always uses the same version of the image, you can specify its digest; replace <image-name>:<tag> with <image-name>@<digest> (for example, image@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2).

The digest uniquely identifies a specific version of the image, so it is never updated by Kubernetes unless you change the digest value.

Fix - Buildtime

Kubernetes

• Resource: image
• Argument: digest

apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
  - name: <container name>
    image: image@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2

{
      "creator": 7,
      "id": 2110,
      "image_id": null,
      "images": [
        {
          "architecture": "amd64",
          "features": "",
          "variant": null,
+         "digest": "sha256:1ae98b2c895d1ceeba8913ff79f422f005b7f967a311da520a88ac89180b4c39",
          "os": "linux",
          "os_features": "",
          "os_version": null,
          "size": 87342331
        }
      ],
      "last_updated": "2017-04-06T20:16:24.015937Z",
      "last_updater": 2215,
      "last_updater_username": "stackbrew",
      "name": "centos5",
      "repository": 54,
      "full_size": 87342331,
      "v2": true
    }